2009-07-05
-commented out list stuff for now
-commented out graph stuff for now
- outline:
assume cleangraph
assert invariant (i.e., assert either (t is null implies stackingraph, or t not null implies t marked with marked graph and stack, or t not null implies t marked and cleangraph and stack in graph)). This doesn't seem to make sense since invariant is an implies, but whatever :)
now three cases, one for each invariant chunk
3x: assume a case together with positive guard, and show one of the three invariants follows after executing body
finally, assume invariant together with neg guard, and prove final assertion

- what if when we need to check assertion split, we really split off and leave "rest of program" in another thread?
- for assumptions, cases occur in order
- for assertions, 

- two ands in a row and he flips out?
